Deny third-party cookie creation for prevalent resources without interaction
[WebKit-https.git] / Source / WebKit / ChangeLog
index 0f60cde..364d8e5 100644 (file)
@@ -1,3 +1,42 @@
+2017-09-06  Brent Fulgham  <bfulgham@apple.com>
+
+        Deny third-party cookie creation for prevalent resources without interaction
+        https://bugs.webkit.org/show_bug.cgi?id=175232
+        <rdar://problem/33709386>
+
+        Reviewed by Alex Christensen.
+
+        Prior to Intelligent Tracking Prevention, WebKit would deny the ability to create a third party cookie if the user's
+        settings prohibited it. Due to the internal mechanics of cookie partitioning, we now accept the third party cookie,
+        but destroy it at some arbitrary moment which is difficult for websites to work with.
+        
+        This patch revises WebKit so that attempts to set third party cookies without user interaction fails immediately,
+        which is what sites are expecting from Safari.
+
+        * NetworkProcess/NetworkProcess.cpp:
+        (WebKit::NetworkProcess::updatePrevalentDomainsWithAndWithoutInteraction):
+        (WebKit::NetworkProcess::updateCookiePartitioningForTopPrivatelyOwnedDomains): Renamed to updatePrevalentDomainsWithAndWithoutInteraction.
+        * NetworkProcess/NetworkProcess.h:
+        * NetworkProcess/NetworkProcess.messages.in: Renamed the UpdateCookiePartitioningForTopPrivatelyOwnedDomains message
+        to UpdatePrevalentDomainsWithAndWithoutInteraction.
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
+        (WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa): Recognize cases where a network session should block cookies, and
+        use the stateless session so we fail immediately when attempting an invalid cookie set operation.
+        * UIProcess/API/Cocoa/WKWebsiteDataStore.mm:
+        (WebKit::WKWebsiteDataStore::_resourceLoadStatisticsSetShouldPartitionCookies): Use new helper function to clear partitioning state.
+        * UIProcess/WebResourceLoadStatisticsStore.cpp:
+        (WebKit::WebResourceLoadStatisticsStore::WebResourceLoadStatisticsStore): Update for revised naming.
+        (WebKit::WebResourceLoadStatisticsStore::updateCookiePartitioning): Track domains with and without interaction so that we can recognize
+        domains that should be immediately blocked from setting cookies.
+        (WebKit::WebResourceLoadStatisticsStore::updateCookiePartitioningForDomains): Update for revised naming.
+        (WebKit::WebResourceLoadStatisticsStore::scheduleClearPartitioningStateForDomains): Added helper function for testing.
+        * UIProcess/WebResourceLoadStatisticsStore.h:
+        * UIProcess/WebsiteData/WebsiteDataStore.cpp:
+        (WebKit::WebsiteDataStore::updatePrevalentDomainsWithAndWithoutInteraction): Update for revised naming.
+        (WebKit::WebsiteDataStore::enableResourceLoadStatisticsAndSetTestingCallback): Ditto.
+        (WebKit::WebsiteDataStore::updateCookiePartitioningForTopPrivatelyOwnedDomains): Renamed to updatePrevalentDomainsWithAndWithoutInteraction.
+        * UIProcess/WebsiteData/WebsiteDataStore.h:
+
 2017-09-06  Adrian Perez de Castro  <aperez@igalia.com>
 
         [WPE][CMake] Fix path to the WebKitApplicationInfo.h header.
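Review bot: The descriptive paragraph of the new entry says "attempts to set third party cookies without user interaction" fail immediately, which reads as applying to every third-party domain. The title and the WebResourceLoadStatisticsStore::updateCookiePartitioning line limit the blocking to prevalent domains without interaction, so say "prevalent" in that paragraph to make the scope unambiguous. The NetworkDataTaskCocoa line should also state whether using the stateless session only rejects cookie writes or also changes whether existing cookies are sent on those requests, since the entry's stated goal is matching what sites expect from Safari. Minor: updateCookiePartitioning keeps its "partitioning" name although it now also tracks the domains to be blocked, unlike the renamed updatePrevalentDomainsWithAndWithoutInteraction; either rename it or note why it stays.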